Security

Preserve source hostname with f5 and rsyslog

vonsolo29
Explorer

We are in the process of using two syslog servers to collect network data. We have an F5 that we use to load balance traffic to the two syslog servers. Data coming into the syslog servers from the F5 has the load balancer IP and not the source IP. How do we get around this, since our templates/filters are looking for the hostname or source IP to filter data?

0 Karma

FrankVl
Ultra Champion

If it is UDP syslog, you can simply configure the F5 to keep the original IP address and not perform Source-NAT.

For TCP that is a bit more complicated, since TCP requires two-way communication and the responses from your syslog servers also need to run through your F5s; otherwise the sending devices will get confused as they get TCP responses from an unknown IP. It is possible though. I believe you need to put the F5 and your syslog servers in the same subnet and make the F5 the default gateway of your syslog servers. For details you are probably best off talking to the team managing your F5s; this is not really a Splunk issue.

Alternatively, of course, you can try to make sure that all the original syslog devices properly put their hostname in the message, so you can use that instead of the IP/hostname observed from the network layer.

0 Karma
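As an added illustration of the second suggestion above (this is example code, not from the thread, Splunk or rsyslog), a small Python parser that takes the origin from the hostname field of the RFC 3164 or RFC 5424 syslog header instead of from the sending socket, and falls back to the peer address when the header carries no usable hostname. The SNAT address and the log lines are constructed.

```python
import re
from dataclasses import dataclass

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: msg
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) "
    r"(?P<rest>.*)$"
)
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)$"
)

@dataclass
class SyslogEvent:
    peer_ip: str      # address the socket reports: the F5's SNAT address, not the device
    host: str         # best-effort origin used for filtering/routing
    host_source: str  # "message" (from the header) or "peer" (fallback)
    msg: str

def parse_event(raw: str, peer_ip: str) -> SyslogEvent:
    """Prefer the hostname the device wrote into the header; fall back to the peer IP."""
    for pat in (RFC5424, RFC3164):
        m = pat.match(raw)
        if not m:
            continue
        host = m.group("host")
        # RFC 5424 uses "-" for an unknown hostname; the SNAT address itself is just as useless
        if host not in ("-", peer_ip):
            return SyslogEvent(peer_ip, host, "message", m.group("rest"))
        return SyslogEvent(peer_ip, peer_ip, "peer", m.group("rest"))
    # Header did not parse (for example, no hostname field at all): only the peer is left
    return SyslogEvent(peer_ip, peer_ip, "peer", raw)

# Constructed sample input: every line arrives from the load balancer's address
F5_SNAT_IP = "10.0.0.5"
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 core-sw-01 sshd[4711]: Accepted publickey for admin",
    "<165>1 2024-05-01T12:00:00Z fw-edge-02 ids - ID47 - alert: policy hit",
    "<13>Oct  1 03:02:01 cron[22]: job started",  # device sent no hostname
]

def attribute_all(lines, peer_ip=F5_SNAT_IP):
    return [parse_event(line, peer_ip) for line in lines]
```

Events whose `host_source` is `"peer"` are the ones that still need fixing at the device (or via the F5 routing described above), since they cannot be distinguished from each other behind the SNAT address.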

ewan000
Path Finder

Does your F5 add a "forwarded for:" header? This is the usual way of passing the IP to receiving servers, and you could capture and log it.

0 Karma
